SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

TOP OF THE NEWS

Brian Krebs examines reasons why Russia and countries that were formerly part of the Soviet Union produce greater numbers of skilled hackers than the US produces. Students in those countries are required to study computer science from an early age, while in the US, the subject is not mandatory and is not even offered in all schools. The approach to teaching computer science in Russia differs greatly from the approach in US schools. Russian students have far more hands-on experience than do their US counterparts.
[Editor Comments]
[Shpantzer] Many countries have kids graduating from high school with STEM knowledge equivalent to juniors in any given American college. This is not an accident, but a strategic decision.
[Assante] The world has begun embarking on a digital transformation and the architects are turning to places like Eastern Europe, Russia, and India for the technical brick-layers to build our future. Children in western societies have the digital exposure, but would benefit from the opportunity to go behind the applications that are a routine part of their young lives.
[Northcutt] We have known about our educational shortfall for a long time; sadly, the articles on the subject remind me of "global warming": there are so many "loud" voices and publications that it is hard to know what to believe, but this is a pretty accurate STEM article that hits home and addresses the "myth" problem head on:
http://www.cio.com/article/2381541/careers-staffing/stem-talent-shortfall-frustrates-tech-recruiters.html
Read more in:
KrebsOnSecurity: Why So Many Top Hackers Hail from Russia
https://krebsonsecurity.com/2017/06/why-so-many-top-hackers-hail-from-russia

A South Korean web hosting company has agreed to pay 1.3 billion won (1.14 million USD) to attackers after its systems became infected with ransomware that affected more than 150 servers. The servers support the websites of more than 3,400 small businesses. The web hosting company, Nayana, was running outdated software.
[Editor Comments]
[Shpantzer] Availability is the new confidentiality. Server-side ransomware is (almost) a full kill-chain activity that offers multiple opportunities for detection and interdiction before the servers go boom: initial exploit on perimeter (ex: auth bypass on perimeter server), webshell installation on perimeter server, lateral movement on the network, identity logs for reused creds, newly installed software, some C2, etc.
[Williams] Organizations that rely on third party service providers (that's almost all of us) should run tabletop exercises asking "how would we respond if our web hosting provider went offline for weeks." That's the situation many South Korean businesses found themselves in, and most were not ready.
[Honan] A good example of why "accepting the risk" may not always be the most prudent course of action.
Read more in:
The Register: South Korean hosting co. pays $1m ransom to end eight-day outage
http://www.theregister.co.uk/2017/06/20/south_korean_webhost_nayana_pays_ransom/
ZDNet: Korean web host hands over 1 billion won to ransomware crooks
http://www.zdnet.com/article/korean-web-host-hands-over-1-billion-won-to-ransomware-crooks/
BBC: South Korean firm's 'record' ransom payment
http://www.bbc.com/news/technology-40340820

THE REST OF THE WEEK'S NEWS

Western technology companies, including Cisco, IBM and SAP, are acceding to demands by Moscow for access to closely guarded product security secrets, at a time when Russia has been accused of a growing number of cyber attacks on the West, a Reuters investigation has found.
Read more in:
Reuters: Under pressure, Western tech firms bow to Russian demands to share cyber secrets
http://www.reuters.com/article/us-usa-russia-tech-idUSKBN19E0XB

--NSA Tools Released by Shadow Brokers Used in Devious Attacks
(June 22, 2017)

While media attention has focused on the WannaCry ransomware, the NSA exploit known as EternalBlue that WannaCry uses has also been used in tandem with another NSA exploit, DoublePulsar, to burrow into the kernels of computer systems.
[Editor Comments]
[Williams] SANS broke the "attackers were using EternalBlue to perform much more advanced attacks" story with SECDO more than a month ago. https://www.sans.org/webcasts/105190 But this story is still significant.
Read more in:
NYT: A Cyberattack 'the World Isn't Ready For'
https://www.nytimes.com/2017/06/22/technology/ransomware-attack-nsa-cyberweapons.html

--FBI 2016 Internet Crime Report
(June 22, 2017)

The 2016 Internet Crime Report from the FBI's Internet Crime Complaint Center (IC3) provides information about trends in online crime. In 2016, more than 10,000 incidents of tech support fraud were reported to IC3, with losses totaling nearly 8 million USD. Other trends noted in the report are email compromise, ransomware, and extortion.
[Editor Comments]
[Shpantzer] Some of the business email compromises (AKA spoofing the CEO/CFO) are very low tech. Zero malware and almost as few financial controls to backstop the fraud. See the Ubiquiti case from 2015, where $46 million flew out the window, in a public company, ostensibly SOX compliant... https://krebsonsecurity.com/2015/08/tech-firm-ubiquiti-suffers-46m-cyberheist/ The Audit Committee head on the Board of Directors was fired and they brought in a consulting firm to reconstitute financial controls... and of course had to report to the SEC. Can we say 'business risk' now?
[Honan] It's interesting to note the top issues of Business Email Compromise, otherwise known as CEO fraud, Ransomware, and Tech Support scams are the issues law enforcement in many other countries also face. It's also worth noting that these crimes are not the result of any sophisticated attacks and can be prevented in many cases by basic security controls, such as the Top 20 critical security controls, and effective awareness training.
Read more in:
FBI: IC3 Releases Annual Report Highlighting Trends in Internet Crime
https://www.fbi.gov/news/stories/ic3-releases-2016-internet-crime-report
IC3: 2016 Internet Crime Report
https://pdf.ic3.gov/2016_IC3Report.pdf

--HHS Cyber Center: A Good Idea or Not?
(June 21, 2017)

Earlier this year, the US Department of Health and Human Services (HHS) said it plans to establish a cybersecurity center for the healthcare sector. Legislators have expressed concerns that the center could actually make it more difficult for private sector organizations to navigate the jumble of cybersecurity regulations and compliance.
Read more in:
FCW: Why an HHS cyber center could confuse federal efforts
https://fcw.com/articles/2017/06/21/hhs-cyber-center-hearing-hsgac.aspx

Microsoft has admitted that it temporarily disables some third-party security software in machines running Windows 10 if the software is deemed to be incompatible with the operating system. Microsoft bundles Windows Defender with Windows 10 to ensure "that every Windows 10 device always have protection from viruses and malware." Most users are running security tools that are compatible with Windows 10, but on computers that are running incompatible tools, Microsoft temporarily disables parts of the software while Windows 10 is being updated.
[Editor Comments]
[Neely] When your AV subscription expires, or your AV is incompatible, Windows 10 alerts you that it is activating Defender. While the goal was to keep systems protected, this behavior is quite surprising to an end user, as it wasn't disclosed. While Microsoft claims Defender has improved as a solution for home and enterprise users, and AV-Test and AV Comparatives testing shows improvements, they still list Defender outside their top choices.
Read more in:
The Register: Microsoft admits to disabling third-party antivirus code if Win 10 doesn't like it
http://www.theregister.co.uk/2017/06/20/microsoft_disabling_thirdparty_antivirus/
ZDNet: Windows 10 does temporarily disable third-party antivirus, admits Microsoft
http://www.zdnet.com/article/windows-10-does-temporarily-disable-third-party-antivirus-admits-microsoft/
BBC: Microsoft admits disabling anti-virus software for Windows 10 users
http://www.bbc.com/news/technology-40356889